Re: [Mailman-Users] Users being unsubscribed without requesting it.
In article <7e0bd0e4-b837-4d76-3c14-a0b6dfda9...@tnetconsulting.net> you write:
>On 08/21/2017 02:08 PM, John Levine wrote:
>> which defines a one-click opt-out link that uses POST rather than GET,
>> since the URL malware fetchers all do GETs.
>
>Why do single click?  Why not do confirmed?

You can read RFC 8058 and find out about the specific problem it addresses.

https://www.rfc-editor.org/info/rfc8058

R's,
John
-- 
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Users being unsubscribed without requesting it.
On 08/21/2017 02:08 PM, John Levine wrote:
> There are plenty of anti-spam schemes that fetch all the URLs in a
> message to see whether they're malicious.  That's why ESPs usually
> have a landing page with a confirm link, and why we wrote RFC 8058
> which defines a one-click opt-out link that uses POST rather than GET,
> since the URL malware fetchers all do GETs.

Why do single click?  Why not do confirmed?

I.e. you go to a page that asks you to "Click here to confirm that you want to unsubscribe."?

I never understood the problem with (what I consider to be) double opt in / out.

I'd also worry that the POST method is not distinct enough compared to GET. (At least compared to double opt out.)

-- 
Grant. . . .
unix || die

Re: [Mailman-Users] Users being unsubscribed without requesting it.
In article <201708210145.v7l1io7x003...@fire.js.berklix.net> you write:
>> Maybe this would foil ISPs who are automatically following this link to
>> unsubscribe people.

Do ISPs really do this?

There are plenty of anti-spam schemes that fetch all the URLs in a message to see whether they're malicious.  That's why ESPs usually have a landing page with a confirm link, and why we wrote RFC 8058 which defines a one-click opt-out link that uses POST rather than GET, since the URL malware fetchers all do GETs.

R's,
John
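
The GET-versus-POST distinction discussed in this thread, as an added example (not from the thread or from Mailman): a handler that answers GET with a confirm page and unsubscribes only on a POST carrying the RFC 8058 body. The signing key, endpoint URL, addresses and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

SECRET = b"constructed-demo-key"          # assumption: per-list signing key
BASE = "https://lists.example.org/unsub"  # assumption: placeholder endpoint


def token_for(address):
    """Opaque, hard-to-forge identifier carried in the unsubscribe URL."""
    return hmac.new(SECRET, address.lower().encode(), hashlib.sha256).hexdigest()


def unsubscribe_headers(address):
    """The two header fields RFC 8058 requires on the outgoing message."""
    return {
        "List-Unsubscribe": f"<{BASE}/{address}/{token_for(address)}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


def handle(method, address, token, body, subscribers):
    """Return (status, text); only a well-formed POST changes `subscribers`."""
    if not hmac.compare_digest(token, token_for(address)):
        return 403, "bad token"
    if method == "GET":
        # Link scanners land here: show a confirm page, change nothing.
        return 200, "Confirm that you want to unsubscribe."
    if method != "POST":
        return 405, "method not allowed"
    form = parse_qs(body)
    if form.get("List-Unsubscribe") != ["One-Click"]:
        return 400, "missing List-Unsubscribe=One-Click"
    subscribers.discard(address)
    return 200, "unsubscribed"


def demo():
    """Constructed scenario: a scanner's GET, then a mail client's POST."""
    subs = {"user@example.net"}
    tok = token_for("user@example.net")
    after_get = handle("GET", "user@example.net", tok, "", subs), set(subs)
    after_post = handle("POST", "user@example.net", tok,
                        "List-Unsubscribe=One-Click", subs), set(subs)
    return after_get, after_post


if __name__ == "__main__":
    print(demo())
```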